5bbef01874be4ea423f9f16625f2547780c63ab22f8ff173063fe39c3b1741e9

Analysis

max time kernel
120s
max time network
21s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a20ca8c0641b7da0aea16281c59eb0d0N.exe
Size

3.2MB
MD5

a20ca8c0641b7da0aea16281c59eb0d0
SHA1

34701817287c0550c0d85d594e393556ac9a4df9
SHA256

5bbef01874be4ea423f9f16625f2547780c63ab22f8ff173063fe39c3b1741e9
SHA512

97383f2aa9cffd65f42142c2a2fe85bd020f32eb98c33e20a3e79a838ee374e21564d2420ea3388f6962ade4ff35b479b02fb7fcea0031b8f2c8b75d87292f17
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpRbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	a20ca8c0641b7da0aea16281c59eb0d0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2400	sysabod.exe
2232	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	a20ca8c0641b7da0aea16281c59eb0d0N.exe
2244	a20ca8c0641b7da0aea16281c59eb0d0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9Z\\xbodsys.exe"	a20ca8c0641b7da0aea16281c59eb0d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBV7\\optidevsys.exe"	a20ca8c0641b7da0aea16281c59eb0d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a20ca8c0641b7da0aea16281c59eb0d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	a20ca8c0641b7da0aea16281c59eb0d0N.exe
2244	a20ca8c0641b7da0aea16281c59eb0d0N.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe
2400	sysabod.exe
2232	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2400	2244	a20ca8c0641b7da0aea16281c59eb0d0N.exe	30
PID 2244 wrote to memory of 2400	2244	a20ca8c0641b7da0aea16281c59eb0d0N.exe	30
PID 2244 wrote to memory of 2400	2244	a20ca8c0641b7da0aea16281c59eb0d0N.exe	30
PID 2244 wrote to memory of 2400	2244	a20ca8c0641b7da0aea16281c59eb0d0N.exe	30
PID 2244 wrote to memory of 2232	2244	a20ca8c0641b7da0aea16281c59eb0d0N.exe	31
PID 2244 wrote to memory of 2232	2244	a20ca8c0641b7da0aea16281c59eb0d0N.exe	31
PID 2244 wrote to memory of 2232	2244	a20ca8c0641b7da0aea16281c59eb0d0N.exe	31
PID 2244 wrote to memory of 2232	2244	a20ca8c0641b7da0aea16281c59eb0d0N.exe	31

C:\Users\Admin\AppData\Local\Temp\a20ca8c0641b7da0aea16281c59eb0d0N.exe
"C:\Users\Admin\AppData\Local\Temp\a20ca8c0641b7da0aea16281c59eb0d0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2400
- C:\Files9Z\xbodsys.exe
  C:\Files9Z\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files9Z\xbodsys.exe

Filesize
3.2MB

MD5
7eb5a5acf0912b001fd3ab14751c2cbb

SHA1
d2cfcec656e0a047e837eab4fd0b754b72be42ea

SHA256
a2cc6f2e72d84f58936f049501a8fe07098927a160e3a8649237b9a4126dccef

SHA512
c93bffe97e3ea757950cc1388966504d6f71d2913a76322498ac7504ef9c7e2468071df857572a90c8a63048a3a71fdaeb6055cf7260d7fceae08f121c9ea69b

Download Submit
C:\KaVBV7\optidevsys.exe

Filesize
15KB

MD5
baebd565738a73b1785d23f85b9b1880

SHA1
3e776227196d9cbee3a9edf120876f20e6af105e

SHA256
d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7

SHA512
3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0

Download Submit
C:\KaVBV7\optidevsys.exe

Filesize
3.2MB

MD5
2421f3c060bdfeea04c133207607832d

SHA1
b51c27ddf2b20f775f7d6bdb5a001638c3d0da8c

SHA256
e86fee21dc28e23877ca9235a61127b9c5e0d230849d0a5b4fd1232471f41f70

SHA512
27f131dae67b2c3e3bd40ed581a593cec2bf9b52564ee3d4544b6a74dc21e1015812cbd736588e9a0513e14d22747e70cd462e9ae5c38e4fea29a6aa3b88d1be

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
3d391657bf81c7afacbaa2fd56968364

SHA1
f99b5faf6ee5b1793ac383e6fd8c712ff4a15091

SHA256
e5626b7e7b78413129a03edcfb2440bd13628f7877da7d19b440218922e10c89

SHA512
882e60bbbd3d9840ff99d4e67064413624295d4680885907f485221d00b2d751bf10450a45212adfb7ec86716056565e8e61476ac322817fcdfddd577b26eb10

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
6536e8fa06c9b939739c29c69bdf4273

SHA1
88c34e30b32f220ada48f6694d5fcffa896e5e25

SHA256
84df321f1ac1be5a997870036c5c526927c6810cea2d0ed4fa2b6dee473db8af

SHA512
e5f2ad5df07954602dbcfdba4db490ae2f182f51e0b697d69ffdda7cebd0a9d45aa1df284c9a1d5a8e22a815b73adfad57b980e9e6326f3a6a392656ebb22724

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.2MB

MD5
27a2c61bb8c862bbdd7f45c1618f12e3

SHA1
ed7c56b2cd9cabb16ac623819beb4e73ade4e773

SHA256
baf073c7b76bb2c215e9b2462e75c4db1fd712b95f90c150099bce796e7b26d7

SHA512
7a143d06a8036f2a3869ab79a80bae6a8c6e05007a633f7b67a92c73aeb933514c82f0517a650957a1d344ae3fbc7992419345d31faf273ec020bb4f0a05efd6

Download Submit